Multi-Service Tradeoff — Azure Administrator (AZ-104)
Container hosting is a spectrum, not a single answer
Architecture requirement: deploy a containerized workload with unpredictable traffic and no desire to manage cluster infrastructure. Competing choices: ACI for simple on-demand containers, AKS for orchestrated multi-service workloads, Functions for event-driven compute, Queue Storage for decoupled ingestion. The deciding constraint is operational ownership — AKS transfers cluster management to the team; ACI and Functions do not. Matching workload profile to the correct service boundary is the skill being tested.
What This Pattern Tests
Azure offers three messaging services with distinct models. Service Bus handles enterprise messaging with sessions, dead-lettering, and exactly-once delivery at $0.05 per million operations. Event Grid handles reactive event routing with push delivery at $0.60 per million events. Queue Storage handles simple FIFO queueing at $0.004 per 10,000 transactions. The exam gives you a messaging requirement and tests whether you match it: "order processing with dead-letter handling" = Service Bus, "react to blob uploads" = Event Grid, "simple task queue for background workers" = Queue Storage. Cosmos DB vs. SQL Database vs. Table Storage follows the same principle: global multi-model vs. relational with joins vs. simple key-value.
Decision Axis
Message complexity and delivery model determine service. Over-specifying is as wrong as under-specifying.
Decision Rules
Whether to use Entra ID dynamic group membership rules (requires P1/P2 license) or Azure PowerShell-scripted static group membership (works on free tier) when the scenario explicitly prohibits premium license spend.
Select the narrowest built-in RBAC role scoped to the subscription that grants sufficient Azure Policy management permissions without also conferring general resource write or delete rights.
Whether attribute-based dynamic group rules reduce net operational burden or transfer it to a hidden dependency chain of HR-attribute accuracy, sync pipeline reliability, evaluation latency, and Entra ID P1 licensing — each of which adds coordination cost absent from a scheduled batch script.
Assign Virtual Machine Contributor scoped to the target resource group rather than assigning the broader Contributor role at the same resource-group scope or assigning any role at subscription scope.
Whether to configure Entra ID dynamic group membership rules (which implicitly require an Entra ID P1 license) or to automate static group membership updates via Azure PowerShell scripts that run within the Entra ID Free tier.
Whether to assign the Reader role once to a Microsoft Entra ID security group at subscription scope or to assign the Reader role individually to each user on each resource group, where the group-based single assignment satisfies least-privilege and eliminates per-rotation management burden.
Whether to use Entra ID dynamic group membership rules or a scripted assigned-group update approach to satisfy a free-tier license constraint for automated user lifecycle management.
Determine whether a custom RBAC role that explicitly excludes Key Vault secret and key read actions is necessary to satisfy least privilege, or whether the built-in Reader role at subscription scope already provides the required access boundary without exposing Key Vault data-plane content.
Whether to configure a Blob Storage lifecycle management policy that tiers blobs to Cool or Archive after the 7-day active window, rather than retaining every object in Hot tier for the full 90-day retention period.
Whether Azure Files share snapshots alone satisfy the 14-day file-level recovery requirement at lower operational cost than coupling Azure Files to a Recovery Services Vault, given that the scenario constrains scope to a single-region SMB share with no VM-level or cross-region recovery need.
Whether ACI's fixed per-container-group allocation satisfies a scale-to-zero and traffic-splitting constraint, or whether Container Apps' managed scaling and ingress rules are required — with ACI being the over-provisioning trap and Container Apps the right-sized answer.
Whether the workload's event-driven scaling requirement and blue/green revision lifecycle are better satisfied by ACI with externally managed orchestration components or by Container Apps with those capabilities built in, given the team has no capacity to operate additional infrastructure.
Whether to use Azure Container Apps with HTTP-triggered KEDA autoscaling (including scale-to-zero) or Azure Container Instances with a fixed replica count sized for peak load — the correct choice turns entirely on whether the service can eliminate idle capacity cost during the 16-hour zero-traffic window.
Whether Azure Container Instances or Azure Container Apps is the right compute surface when the workload explicitly requires revision-based traffic splitting and scale-to-zero HTTP scaling, with operational overhead as the dominant tiebreaker.
Whether to front the backend application tier with an internal Azure Load Balancer carrying a private frontend IP, or with a Standard Azure Load Balancer assigned a Public IP Address.
Choose an internal Standard Load Balancer fronted by an Azure Private DNS zone rather than a public load balancer or a custom DNS server VM, because the internal LB + private zone pairing fully satisfies private-scope HA and name resolution with zero self-managed infrastructure overhead.
Determine whether the 24-hour RPO, 4-hour file-restore RTO, and cost-minimization constraint are best satisfied by scheduled snapshot backup (Azure Backup via Recovery Services Vault) or by continuous VM replication (Azure Site Recovery), recognizing that continuous replication over-provisions resilience and cost well beyond what the stated targets require.
Choose Azure Backup Vault with a managed disk snapshot policy rather than Azure Site Recovery or Recovery Services Vault VM backup, because the 4-hour RPO and 2-hour disk-level RTO are fully satisfied by periodic snapshots without the cost and complexity of continuous replication.
Whether the stated 4-hour RTO, 24-hour RPO, and granular file-restore requirement are fully satisfied by a periodic Azure Backup policy stored in a Recovery Services Vault, or whether they demand the continuous-replication overhead of Azure Site Recovery.
Whether geo-redundant storage (GRS) configured on a Recovery Services Vault backup policy satisfies the stated secondary-region durability, 24-hour RPO, and 8-hour RTO constraints, making continuous cross-region VM replication via Azure Site Recovery an over-engineered choice.
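The free-tier alternative that several of the group-membership rules above refer to, written out as an added example (not from the exam material or any Microsoft sample): a scheduled script that reconciles an assigned (static) group against an HR attribute using Microsoft Graph PowerShell. It assumes the Microsoft.Graph module is installed, the group already exists, and "department" is the attribute synced from HR; the group ID and "Finance" are placeholder values.

```powershell
# Added example: keep a static Entra ID group in sync with an HR attribute on the Free tier.
# The P1-only dynamic membership rule this replaces would be:
#   (user.department -eq "Finance") -and (user.accountEnabled -eq true)
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $GroupId,   # object ID of an existing assigned group (placeholder)
    [string] $Department = "Finance"            # HR attribute value to key membership on (sample value)
)

# Least-privilege Graph scopes: read users, read/write group membership only.
Connect-MgGraph -Scopes "User.Read.All", "GroupMember.ReadWrite.All" -NoWelcome

# Desired state: enabled users whose department matches. Single quotes are doubled so a
# value containing an apostrophe cannot break out of the OData filter.
$deptLiteral = $Department.Replace("'", "''")
$desired = Get-MgUser -Filter "department eq '$deptLiteral' and accountEnabled eq true" `
    -All -Property Id, UserPrincipalName
$desiredIds = [System.Collections.Generic.HashSet[string]]::new()
foreach ($d in $desired) { [void]$desiredIds.Add($d.Id) }

# Current state: every member of the static group (users, devices, or service principals).
$current = Get-MgGroupMember -GroupId $GroupId -All
$currentIds = [System.Collections.Generic.HashSet[string]]::new()
foreach ($c in $current) { [void]$currentIds.Add($c.Id) }

# Joiners and department changes: add users that should be members but are not.
foreach ($u in $desired) {
    if (-not $currentIds.Contains($u.Id) -and
        $PSCmdlet.ShouldProcess($u.UserPrincipalName, "Add to group $GroupId")) {
        New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $u.Id
    }
}

# Leavers and department changes: remove members that no longer match the attribute.
foreach ($m in $current) {
    if (-not $desiredIds.Contains($m.Id) -and
        $PSCmdlet.ShouldProcess($m.Id, "Remove from group $GroupId")) {
        Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $m.Id
    }
}
```

Run it on a schedule (an Automation runbook or scheduled task) to get the lifecycle behaviour the dynamic rule would give, and pass -WhatIf to preview adds and removals before committing them. The hidden dependency the rules above mention is visible here: the script is only as correct as the department attribute it reads.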